fe6e96dd3f
Shadboard starter-kit (Next.js 15 + React 19 + shadcn/ui + Tailwind 4)

Sprint 4.a — Admin Dashboard:
- Auth: NextAuth.js v5, login page, middleware, token rotation
- Dashboard: KPI cards, Recharts stock chart, quick actions
- Members: TanStack Table (search/sort/paginate), add/edit forms
- Distributions: multi-step form, real-time quota check, history
- Stock: batch management, recall dialog, bar chart
- Reports: monthly/member-list/recall, PDF/CSV download, preview

Sprint 4.b — Member Portal:
- Separate route group with top-nav layout (mobile-first)
- Quota dashboard with radial SVG progress indicators
- Distribution history with month filter
- Profile/settings with password change

Cross-cutting:
- i18n: German (default) + English via next-intl
- Dark + light mode (next-themes, user-togglable)
- Playwright E2E tests (6/6 green)
- Docker multi-stage build (node:22-alpine)
- API proxy via Next.js rewrites

Tech: Next.js 15.2.8, React 19, Tailwind 4, NextAuth v5, TanStack Table, Recharts, Zod, React Hook Form, Playwright
4.7 KiB
CannaManage — Sprint 5 Planning Backlog
Date: 2026-06-12
Author: Patrick Plate / Lumen (Planner)
Status: Backlog (not yet planned)
Prerequisite: Sprint 4 completion (Frontend MVP)
Purpose
This document captures features and improvements deferred from Sprint 4 during the persona review process. These items are the "known gaps" that prevent all 6 review personas from scoring ≥90%. They represent the natural next iteration after the frontend MVP is delivered.
Deferred Items (from Sprint 4 Persona Review)
High Priority (multiple personas impacted)
| # | Feature | Source Personas | Expected Impact |
|---|---|---|---|
| 1 | Staff Management UI — invite flow, permission editor, activity log | 🏢 Owner, 🛡️ Compliance | Owner +10%, Compliance +3% |
| 2 | Notification System — email alerts for recalls, quota resets, new batches; WebSocket for real-time updates | 👤 Member, 🏢 Owner, 🎨 UX | Member +8%, Owner +5% |
| 3 | Inspector Read-Only Mode — time-limited token for Behörde officials to browse audit logs without admin assistance | 🛡️ Compliance, 🏢 Owner | Compliance +8% |
| 4 | Club Settings UI — email whitelist, prevention officer limit, club profile editing | 🏢 Owner | Owner +5% |
Medium Priority (UX polish + compliance hardening)
| # | Feature | Source Personas | Expected Impact |
|---|---|---|---|
| 5 | PWA Manifest + Service Worker — home-screen installable, offline quota cache | 👤 Member, 🎨 UX | Member +5%, UX +3% |
| 6 | Micro-interactions & Page Transitions — Framer Motion fade-in, form animations | 🎨 UX | UX +5% |
| 7 | Distribution Form Progress Stepper — visual 3-step indicator (Select Member → Batch → Confirm) | 🎨 UX | UX +3% |
| 8 | Monthly Report Auto-Sealing — auto-generate + SHA-256 hash at month-end, store sealed PDF | 🛡️ Compliance | Compliance +5% |
| 9 | Cryptographic Hash Chain — SHA-256 linking distribution records for tamper-evidence | 🛡️ Compliance, 🔒 Security | Compliance +5% |
Lower Priority (nice-to-have)
| # | Feature | Source Personas | Expected Impact |
|---|---|---|---|
| 10 | Portal Visual Differentiation — subtle accent color shift or branding to distinguish member portal from admin | 🎨 UX | UX +2% |
| 11 | Nonce-Based CSP — eliminate unsafe-inline/unsafe-eval with Next.js middleware nonces | 🔒 Security | Security +3% |
| 12 | Date-Range Reports — custom period report (Q1, ad-hoc date range) beyond month picker | 🏢 Owner | Owner +3% |
| 13 | 2FA (TOTP) — optional two-factor authentication for members and staff | 👤 Member, 🔒 Security | Security +3%, Member +3% |
| 14 | SWR/React Query — client-side data cache for real-time updates without full page refresh | 💻 Developer | Developer +2% |
Estimated Sprint 5 Scope
Based on priority and effort, a reasonable Sprint 5 scope would be:
Sprint 5.a — Staff & Settings (~5 days)
- Staff management UI (list, invite, permission editor, activity log)
- Club settings page (email whitelist, prevention officer limit)
- Date-range report picker
Sprint 5.b — Notifications & PWA (~5 days)
- Email notification system (recall alerts, quota reset reminders)
- WebSocket real-time quota updates
- PWA manifest + service worker (offline quota cache)
- Distribution form progress stepper
- Page transitions (Framer Motion)
Technical Prerequisites
| Feature | Backend Changes Needed |
|---|---|
| Notifications | Email templates, event bus (Spring ApplicationEvents), WebSocket endpoint |
| Inspector mode | New auth scope, time-limited read-only token endpoint |
| Report sealing | Scheduled job (month-end), SHA-256 hash storage, sealed PDF storage (S3/filesystem) |
| Hash chain | Migration: add prev_hash column to distributions table |
| 2FA | TOTP library (e.g., dev.samstevens.totp), QR code endpoint, recovery codes |
Open Questions (for Sprint 5 planning)
- Should notifications use email only, or also in-app (bell icon) + push (web push API)?
- Inspector mode: do we build a full separate UI, or just a token that grants read-only API access (inspector uses existing admin UI)?
- PWA: offline-first for quota only, or cache entire portal for offline viewing?
- 2FA: mandatory for staff, optional for members? Or optional for everyone?
- Report sealing: store sealed PDFs in S3 or local filesystem?
References
- Sprint 4 Plan: docs/sprint-4/cannamanage-sprint4-plan.md (v3)
- Sprint 4 Persona Review: docs/sprint-4/cannamanage-sprint4-plan-persona-review.md (Iteration 2)
- Sprint 3 Plan: docs/sprint-3/cannamanage-sprint3-plan.md